Requirement text: SC.3.191: Protect the confidentiality of CUI at rest.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Information at rest refers to the state of information when it is not in process or in transit
and is located on storage devices as specific components of systems. The focus of protection
at rest is not on the type of storage device or the frequency of access but rather the state of
the information. Organizations can use different mechanisms to achieve confidentiality
protections, including the use of cryptographic mechanisms and file share scanning.
Organizations may also use other controls, including secure off-line storage in lieu of online
storage when adequate protection of information at rest cannot otherwise be achieved, or
continuous monitoring to identify malicious code at rest.
CMMC CLARIFICATION
CUI at rest means information that does not move through the network and may be stored
on hard drives, media, and mobile devices. Develop a scheme and implement the necessary
security controls to protect the confidentiality of CUI at rest. Although an approved
encryption method protects data stored at rest, there are additional technical
solutions. The scheme you choose should depend on your organization’s environment and
business needs.
Example 1
You are an IT administrator at your organization responsible for protecting CUI at rest. Your
company has a policy stating CUI must be protected at rest and you work to enforce that
policy.
You research Full Disk Encryption (FDE) products that meet the FIPS encryption
requirement. After testing, you roll out the encryption to all computers at your company to
protect CUI at rest.
Example 2
You are an IT administrator for your company. While you have used encryption to protect
the CUI on most of the computers at your company, you have some devices that do not
support encryption. Your company creates a policy requiring these devices to be signed out
when needed, to stay in the possession of the signer while checked out, and to be signed back in
and locked up in a secured closet when the user is done with the device. At the end of the
day each Friday, you audit the sign-out sheet and make sure all devices are returned to the
closet.
References
• NIST SP 800-171 Rev 1 3.13.16
• CIS Controls v7.1 14.8
• NIST CSF v1.1 PR.DS-1
• NIST SP 800-53 Rev 4 SC-28